Reputation: 78
In the Laravel framework, setting session cookies on the root domain level is not working in Safari 13.0.3, but works in Safari 12, Chrome, and Firefox.
Because cookies are not being set, each page refresh creates a new session and logging in does not work.
I am using the default Laravel setup aside from session behavior in app/session.php, where I've changed the SESSION_DOMAIN to the root domain ('.example.test') and set the SESSION_DRIVER to 'database' (following advice from Persisting sessions across subdomains in Laravel 5).
The cookies get set in Safari 13 when the domain is set to the full URL (subdomain.example.com) but not when changed to the root URL (.example.com).
In the Safari debugging tools, I can see the request headers being set and going through, but the cookies never make it into storage.
Network request headers/cookies:
Things I have tried:
Upvotes: 3
Views: 4029
Reputation: 161
I can't test on Safari 13, but my guess is the recent RFC 6265 (2011):
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.
Set SESSION_DOMAIN to the root domain example.test without the trailing ".".
Note that a domain without the trailing "." is invalid in the old RFC 2109 (1997); some very old browsers may not accept the cookie. Safari 12 and other popular browsers will accept the cookie because of the RFC 2965 (2000):
If an explicitly specified value does not start with a dot, the user agent supplies a leading dot
Upvotes: 3
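The Domain handling that the RFC 6265 passage quoted above describes, as an added example that is not part of the original question or answer: it follows the RFC's sections 5.2.3, 5.1.3 and 5.3 (step 6), not the behaviour of any particular Safari release, and lists which hosts would receive a session cookie scoped to the root domain. The function names and sample hosts are constructed for illustration.

```javascript
// Added illustration of RFC 6265 sections 5.2.3, 5.1.3 and 5.3 (step 6).
// Function names and sample hosts are constructed for this example.
// Not modelled: public-suffix rejection (5.3 step 5) and other attributes.

// Simplified check: only IPv4 literals are recognised as IP addresses here.
const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);

// 5.2.3: strip one leading ".", then lower-case the rest.
function parseDomainAttribute(value) {
  const v = value.trim();
  if (v === "") return null; // empty value: the attribute is ignored
  return (v.startsWith(".") ? v.slice(1) : v).toLowerCase();
}

// 5.1.3: identical, or a dot-separated suffix of a host name (not an IP).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  return h.endsWith("." + cookieDomain) && !isIPv4(h);
}

// 5.3 step 6: is a cookie set by requestHost stored, and with what scope?
function storeDecision(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr == null ? null : parseDomainAttribute(domainAttr);
  if (domain === null) return { stored: true, domain: host, hostOnly: true };
  if (!domainMatches(host, domain)) {
    return { stored: false, domain: null, hostOnly: false }; // cookie rejected
  }
  return { stored: true, domain, hostOnly: false };
}

// Which of the given hosts would be sent the stored cookie?
function recipients(decision, hosts) {
  if (!decision.stored) return [];
  return hosts.filter((h) =>
    decision.hostOnly
      ? h.toLowerCase() === decision.domain
      : domainMatches(h, decision.domain));
}

// Constructed sample hosts; the response comes from app.example.test.
const hosts = ["example.test", "app.example.test", "other.example.test", "notexample.test"];
for (const attr of [".example.test", "example.test", null, "evil.test"]) {
  const d = storeDecision("app.example.test", attr);
  console.log(JSON.stringify(attr), d, recipients(d, hosts));
}
```

Under these rules `.example.test` and `example.test` produce the same stored cookie, and that cookie is sent to every subdomain of example.test, so each of those hosts can read the session identifier.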